Nmap Development mailing list archives

Re: Segfault in 3.83DC1 and 3.84ALPHA1 using --excludefile option


From: "Duilio J. Protti" <dprotti () flowgate net>
Date: Wed, 31 Aug 2005 15:49:43 -0300

In fact, the problem is in function skip_range() in TargetGroup.cc:

for (i = oct; i >= 0; i--) {
  if (current[i] < last[i]) {
....

the problem is that i is an unsigned int, so decrementing never reaches a
negative value, but wraps around to the biggest unsigned int value.

When this happens, i is obviously >= 0, the for loop is entered, and
current[i] becomes an invalid reference to memory.

Attached is the patch.


Regards,
Duilio.

Aaron J. Bedra wrote:
Here's the run and backtrace followed by my gcc ver

Hope this helps.


Regards,

Aaron J. Bedra


/*-----------Begin gdb Output------------------------*/
(gdb) run -sP -PS --excludefile exclude.list 192.168.2.0/24
Starting program: /home/abedra/nmap-3.84ALPHA1/nmap -sP -PS
--excludefile exclude.list 192.168.2.0/24

Starting nmap 3.84ALPHA1 ( http://www.insecure.org/nmap/ ) at 2005-08-31
12:56 EDT
Warning: File ./nmap-services exists, but Nmap is
using /usr/local/share/nmap/nmap-services for security and consistency
reasons.  set NMAPDIR=. to give priority to files in your local
directory (may affect the other data files too).

Program received signal SIGSEGV, Segmentation fault.
0x08082c48 in TargetGroup::skip_range (this=0x80f0fc0,
octet=THIRD_OCTET)
    at TargetGroup.cc:342
342           current[i] = 0;
(gdb) backtrace
#0  0x08082c48 in TargetGroup::skip_range (this=0x80f0fc0,
octet=THIRD_OCTET)
    at TargetGroup.cc:342
#1  0x08057485 in hostInExclude (checksock=0xbfffa540, checksocklen=16,
    exclude_group=0x80f0fc0) at targets.cc:1749
#2  0x0805249c in nexthost (hs=0x8101210, exclude_group=0x80f0fc0,
    ports=0x80d2450, pingtype=0x80ce658) at targets.cc:317
#3  0x0804e587 in nmap_main (argc=6, argv=0xbffff004) at nmap.cc:1034
#4  0x0804adde in main (argc=6, argv=0xbffff004, envp=0xbffff020)
    at main.cc:244
(gdb)
/*------------------------END---------------------------------*/

linux:/home/abedra/nmap-3.84ALPHA1 # gcc -v
Reading specs from /usr/lib/gcc-lib/i586-suse-linux/3.3.5/specs
Configured with: ../configure --enable-threads=posix --prefix=/usr
--with-local-prefix=/usr/local --infodir=/usr/share/info
--mandir=/usr/share/man --enable-languages=c,c++,f77,objc,java,ada
--disable-checking --libdir=/usr/lib --enable-libgcj --with-slibdir=/lib
--with-system-zlib --enable-shared --enable-__cxa_atexit i586-suse-linux
Thread model: posix
gcc version 3.3.5 20050117 (prerelease) (SUSE Linux)


Attachment: nmap-excludefile.patch


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
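
As an added illustration of the wraparound Duilio describes (example code written for this archive page, not Nmap's TargetGroup.cc and not the attached patch): a constructed model of a four-octet target range with the skip loop written both ways. The buggy variant keeps the unsigned index and, instead of dereferencing current[UINT_MAX], reports when the index has wrapped; the fixed variant uses a signed index so the loop really ends after octet 0 and tells the caller the range is exhausted. The range_t type, the 192.168.2.0-255 sample range, the oct=2 (third octet) call and all function names are assumptions of the example.

```c
#include <stdio.h>

/* Constructed model of a target range: octet i runs from first[i] to
 * last[i] and current[] is the cursor. Not Nmap's TargetGroup, only
 * enough state to show the loop-index bug. */
typedef struct {
    unsigned char first[4];
    unsigned char last[4];
    unsigned char current[4];
} range_t;

/* gcc/clang -Wextra (-Wtype-limits) warn that 'i >= 0' is always true for
 * an unsigned i; that warning is exactly what would have caught this bug.
 * It is silenced here only so the buggy form compiles unchanged. */
#pragma GCC diagnostic ignored "-Wtype-limits"

/* Buggy form: 'i' is unsigned, so 'i >= 0' never fails. Once every octet
 * from oct down to 0 is exhausted, i-- turns 0 into UINT_MAX and the next
 * current[i] is far outside the array. The wrap is caught and reported
 * (return 1) rather than dereferenced so the function is safe to run;
 * in the real loop this is the out-of-bounds access. */
int skip_range_buggy(range_t *r, unsigned oct)
{
    unsigned i;
    for (i = oct; i >= 0; i--) {        /* always true for unsigned i */
        if (i > 3)                      /* index wrapped past 0 */
            return 1;
        if (r->current[i] < r->last[i]) {
            r->current[i]++;            /* advance this octet */
            return 0;
        }
        r->current[i] = r->first[i];    /* exhausted: reset and carry */
    }
    return 0;                           /* not reachable */
}

/* Fixed form: a signed index makes 'i >= 0' a real test, the loop ends
 * after octet 0, and the caller learns the whole range is exhausted. */
int skip_range_fixed(range_t *r, unsigned oct)
{
    int i;
    if (oct > 3)                        /* reject an out-of-range octet */
        return -1;
    for (i = (int)oct; i >= 0; i--) {
        if (r->current[i] < r->last[i]) {
            r->current[i]++;
            return 0;
        }
        r->current[i] = r->first[i];
    }
    return 1;                           /* whole range exhausted */
}

/* Constructed sample: exclusion range 192.168.2.0-255 with the cursor at
 * the given third octet, the octet named in the backtrace above. */
static range_t sample_range(unsigned char third)
{
    range_t r = { {192, 168, 2, 0}, {192, 168, 2, 255}, {192, 168, third, 0} };
    return r;
}

/* Drive each variant on the sample range, skipping at the third octet. */
int buggy_result(unsigned char third)
{
    range_t r = sample_range(third);
    return skip_range_buggy(&r, 2);
}

int fixed_result(unsigned char third)
{
    range_t r = sample_range(third);
    return skip_range_fixed(&r, 2);
}

/* Third octet left in the cursor after the fixed variant runs. */
int fixed_next_third(unsigned char third)
{
    range_t r = sample_range(third);
    skip_range_fixed(&r, 2);
    return r.current[2];
}

int main(void)
{
    printf("cursor at 192.168.1.x: buggy=%d fixed=%d (0 = advanced)\n",
           buggy_result(1), fixed_result(1));
    printf("cursor at 192.168.2.x: buggy=%d (1 = index wrapped) "
           "fixed=%d (1 = exhausted)\n", buggy_result(2), fixed_result(2));
    return 0;
}
```

With the cursor at 192.168.1.x both variants simply step the third octet to 2. With the cursor already at 192.168.2.x every octet from index 2 down to 0 is at its last value, so the unsigned loop decrements 0 to UINT_MAX and the buggy variant reports the wrapped index, while the signed loop falls out after octet 0 and returns "exhausted". Building with -Wextra flags the tautological comparison at compile time.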
